Security Guidance for Flexible Working

As the University transitions to a hybrid work model of both on-campus and remote work, it is important to minimize any risk to University and personal information. This document recaps and consolidates guidance and tips for safe computing, generally extracted from our established MSU computing policies.

Client Workstation Use

When should I use University-issued versus personal workstations?

We strongly recommend that employees who have a desktop or laptop issued and managed by the University use that machine for all business and education-related activities, whether working remotely or while on campus. These machines are centrally managed by IT and/or your college’s local technology team and are configured with additional security settings that may not be present on a personally owned or personally configured machine. Employees should avoid sharing their University-issued computer with family members or using it for non-work-related activities like casual web browsing, streaming entertainment, online shopping, etc., as those activities can increase the risk of exposure to malware.

Employees must report the misplacement, theft, or loss of a University-issued device (or any device that has been used to store University related information) to their local police station (or University campus police if the loss occurs on campus), their direct supervisor, and the IT Service Desk (or your college’s local technology team) as soon as possible. Please also provide the issued police report when you receive it.

We also strongly recommend that use of personally acquired/managed computing devices (including personally managed computers acquired with University grant or startup funds) and public machines (such as a shared library workstation) for work-related duties be limited to:

a. Accessing your University email account

b. Browsing the public web/internet

c. Accessing campus applications (NEST, Banner, etc.) and approved Cloud services (Google Calendar, Google Drive, Canvas, Workday, Zoom, etc.) with your NetID

d. Developing educational materials or performing research that do not involve sensitive University data

You are accountable for following the guidelines below whether using University-managed or personal computing devices for work-related purposes.

Client Security Tips

Workstations (e.g. laptops and desktops)

  1. When using any computer, whether managed by the University or by yourself:

a. To minimize risk of data loss or compromise due to hardware failures or security exposures, avoid retaining data on the device’s internal storage (C: drive). Instead, store University data on the MSUFiles file server or Google Drive. If you have temporarily copied files from a central storage location (e.g. MSUFiles), please delete them from the device’s internal storage when you are finished working with them.

b. Log out of the client device when not actively using it.

c. Explicitly put a laptop into sleep/shutdown mode when it is not actively being used (that is, do not just close the laptop cover) to ensure full Windows BitLocker or macOS FileVault encryption protection.

d. Do not leave a running laptop unattended outside of private and secure work spaces.

e. Perform a full reboot of the client device at least once every few days to ensure that security, operating system and other application updates are applied regularly.

  2. When using University-managed computers:

a. Apply all updates when prompted by the system as they are distributed via the University’s device management system.

b. If granted a local administrative access exception, do not install non-work-related applications, plug-ins, or other software.

  3. If using a personal (non-University-managed) computer for work-related needs:

a. Make sure your computer is kept up-to-date with all operating system and software patches, applied weekly or more frequently.

b. Do not access sensitive data using personal computers that cannot be updated with the latest patches and/or are not running the latest supported operating system.

c. Always use antivirus software and check that it is running and actively updating. If you do not have antivirus software, you can download Sophos Antivirus by logging into the MSU Software Repository.

d. Do not store any sensitive University data on your device. Instead, access it through Google Drive and/or MSUFiles (including Shared O: and N: Drives).

e. Do not use your NetID password as the login to your personal computer or for any other personal online account logins. This can help to protect your NetID account if your personal computer is compromised by malware or other security issues.

Mobile devices (e.g. smartphones, tablets)

Whether using a University-issued or personal phone/tablet, for the protection of University data as well as your own data (e.g. contact lists, calendars, photos, texts), enable screen-lock on the device using either a PIN or biometric (face or fingerprint recognition) feature. Also, regularly update the device to the latest version of the operating system to ensure patching of any known security vulnerabilities.

Avoid accessing sensitive data from mobile devices and/or tablets that have not been updated to the latest operating system.

Data handling

If there is a need to share files that contain sensitive information with other MSU employees, do not use unencrypted email. Instead use the MSU File Hawk secure document distribution system found at:

 http://msufilehawk.dos5.net 

An overview of how to send sensitive information can be found on the MSU File Hawk website.

Alternatively, you may securely email sensitive information by moving it to an encrypted attachment, e.g. using Microsoft Office documents or Adobe Acrobat encryption capabilities, and then communicating the password by any other means or at least by separate email. An overview of this process can be found in our How to Password Protect and Encrypt a File document.

Always store sensitive information on the MSU-managed central file server known as MSUFiles (including Shared O: and N: drives) or on an approved cloud service like MSU’s Google Workspace (i.e. Google Drive) when appropriate. Google Drive may be used to store most work-related documents with the exception of highly sensitive information classified as “Private”, such as social security numbers or health information (refer to the Data Classification and Use Policy for the full list). “Private” information should be stored on MSUFiles.

Remote network access

  1. Be very cautious when connecting to wireless networks off-campus in public spaces such as restaurants, airports, etc. These public wireless networks are often not using a secure connection (i.e. encryption) between your device and the wireless access point. This means it is possible for information traveling between your device and the access point to be intercepted and viewed.
  2. Be sure that you have set a password on your home wireless network, which will prevent unwanted access to your home or apartment WiFi network by neighbors or anyone within range of your wireless router’s signal.

VPN: Remote access to applications restricted to on-campus access

To access an application remotely that is restricted to only on-campus use (such as MSUFiles, Call Center soft phones, some Banner/NEST functions, and reporting tools like COGNOS and Tableau), you must first connect to the campus network through the VPN service. You can connect to the campus VPN by launching the “Cisco AnyConnect” VPN application on your university-managed device and logging in with your NetID and password. You will also need to use DUO multi-factor authentication when logging into the VPN by typing the word “push” into the 2nd password field of the AnyConnect client application. See the following VPN user guide for more information:

http://7ycl.dos5.net/information-technology/campus-vpn-remote-access-guide/

If you need to have the VPN client software installed on your personal computer, please refer to the section in the guide on “Connecting to the VPN with Cisco AnyConnect” and select your operating system.

Protect yourself against phishing

    1. When reading emails, be extra vigilant with regard to possible phishing scam messages.
    2. Do not click links or download files attached to an email that you are not expecting or from someone you do not recognize. Attempt to contact the sender directly first if you are unsure.
    3. Move your cursor over a URL/link and check that the resulting link displayed (usually in the bottom bar of your browser or email client) does not appear suspicious.
    4. Continue to be aware of “social engineering” attacks such as someone posing as a colleague or manager and asking you (often with a sense of urgency) to provide information or perform uncommon tasks (e.g. “Please purchase four gift cards and send them to this address.”)

Where can I find more information about the University’s information security policies?

All current policies related to information security, the handling of sensitive data, and general usage guidelines can be found on the University’s policy web page at:

http://7ycl.dos5.net/policies/category/technology/

The three policies at the above link that are most relevant to flexible or remote working are:

    1. Responsible Use of Computing Policy
    2. Data Classification and Use Policy
    3. Google Drive Usage Guidelines